I'm looking into a network access control solution, and I have the following questions:
1- My understanding is that ACS assigns unauthorized assets to a guest vlan/zone, but what happens next if access to resources (such as internet) requires authentication? In other words, does an ACS-only solution imply manual guest access provisioning, as opposed to automatic provisioning with an overlay NAC Guest server?
2- Captive portal vs. Webauth: My understanding is that ACS alone does not provide a captive portal for guests. It only provides a webauth feature that is mainly a fallback authentication mechanism for employees/managed assets, not guests/unmanaged assets. Is this correct?
1. Wrong understanding. ACS does what you tell it to do. It can assign a guest vlan to unknown assets or assign whatever else you like.
What do you mean by internet access requiring authentication? If you are thinking of a guest portal, i.e. a web page asking to enter credentials, then ACS doesn't do that, so you have to couple ACS with a Guest Server. That's a bit of a pity because the Guest Server is not a product that will evolve. ISE just does everything in one.
2. ACS is not a captive portal, correct. When you say "it provides a webauth feature that is fallback", it's wrong. ACS doesn't provide anything like that. The switches implement web authentication (or the wireless controllers) and ACS can authenticate the people using that, but ACS is just a RADIUS server saying "yes/no" and giving privileges.
3. ACS has no limitations in supporting wireless in particular. What the paper says is that ISE provides a captive portal that will be the same for wired or wireless users.
Remember that with ACS, you need to use the captive portal of the switch and WLC or a NAC Guest Server. So not unified.